Back

Instructure's Canvas LMS Faces Dual Cyberattacks by ShinyHunters

Severity: High (Score: 66.0)

Sources: www.cybersecuritydive.com, Scworld, www.instructure.com, Darkreading, www.silverfort.com

Summary

Instructure's Canvas learning management system was compromised twice by the ShinyHunters cybercriminal group in May 2026, affecting over 30 million students across 9,000 educational institutions. The initial breach occurred on April 29, 2026, leading to the exposure of user data, including names and emails. Instructure claimed to have resolved the issue by May 6, but a subsequent attack on May 7 resulted in a ransom demand and the threat of releasing 3.65 terabytes of sensitive data. The House Committee on Homeland Security has requested Instructure's CEO to testify regarding the incidents and the company's cybersecurity measures. Lawmakers are particularly concerned about the company's ability to manage vulnerabilities and the potential ransom payment. The second attack exploited cross-site scripting (XSS) vulnerabilities, raising alarms about the security of educational technology platforms. Instructure stated that no customers would be extorted as a result of the incident, claiming that the stolen data was returned. Key Points: • Instructure's Canvas LMS was hacked twice by ShinyHunters, impacting 30 million students. • The first breach revealed user data, while the second attack involved a ransom demand. • Lawmakers are investigating Instructure's cybersecurity response and vulnerability management.

Key Entities

  • Data Breach (attack_type)
  • Phishing (attack_type)
  • Ransomware (attack_type)
  • Sql Injection (attack_type)
  • XSS (vulnerability)
  • Chanel (company)
  • Instructure (company)
  • Qantas Airways (company)
  • Salesforce (company)
  • Education (company)
  • CWE-120 - Classic Buffer Overflow (cwe)
  • Cwe-79 - Cross-site Scripting (xss) (cwe)
  • Cwe-89 - SQL Injection (cwe)
  • Transportation (industry)
  • T1021 - Remote Services (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • T1567 - Exfiltration Over Web Service (mitre_attack)
  • Canvas (tool)
  • ShinyHunters (apt_group)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed